NCSA/Apache httpd ScriptAlias Source Retrieval Vulnerability
BID:2300
Info
| Bugtraq ID: | 2300 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 25 1999 12:00AM |
| Updated: | Sep 25 1999 12:00AM |
| Credit: | Discovery information is not currently known - this vulnerability is associated with CVE-1999-0236. |
| Vulnerable: | NCSA httpd 1.5 a-export; NCSA httpd 1.4.2; NCSA httpd 1.4.1; NCSA httpd 1.4; NCSA httpd 1.3; Apache Apache 0.8.14; Apache Apache 0.8.11 |
| Not Vulnerable: | Apache Apache 1.0 |
Discussion
NCSA httpd prior to and including 1.5 and Apache Web Server prior to 1.0 contain a bug in the ScriptAlias function that allows remote users to view the source of CGI programs on the web server if a ScriptAlias directory is defined under DocumentRoot. If indexing is turned on, a full listing of the CGI-BIN directory can be obtained as well. This is accomplished by adding multiple forward slashes in the URL (see exploit). When this syntax is used, the web server fails to recognize that a ScriptAlias directory is actually redirected to a CGI directory, and returns the text of the script instead of properly executing it. This may allow an attacker to audit scripts for vulnerabilities, retrieve proprietary information, etc.
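A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags requests whose raw path misses a literal prefix match on the ScriptAlias path but falls inside it once repeated slashes are collapsed. The `/cgi-bin/` alias, the function names, the Common Log Format input and the sample lines are assumptions; the literal prefix comparison is a simplified model of the flaw, not NCSA or Apache source.

```python
import re

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')

def collapse_slashes(path):
    """Collapse runs of '/' into one, as filesystem path resolution does."""
    return re.sub(r"/{2,}", "/", path)

def literal_alias_match(path, alias):
    """Simplified model of the flawed check: raw path vs. alias prefix (assumption)."""
    return path.startswith(alias)

def find_alias_bypass(log_lines, alias="/cgi-bin/"):
    """Return (line_number, raw_path) for requests that miss a literal alias
    match but land inside the alias once repeated slashes are collapsed."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # no parseable request in this line
        path = match.group("target").split("?", 1)[0]  # drop the query string
        if literal_alias_match(path, alias):
            continue  # ordinary request, recognised as a script path
        if literal_alias_match(collapse_slashes(path), alias):
            hits.append((number, path))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/1999:10:00:01 +0000] "GET /cgi-bin/script.cgi HTTP/1.0" 200 512',
    '192.0.2.44 - - [25/Sep/1999:10:00:07 +0000] "GET ///cgi-bin/script.cgi HTTP/1.0" 200 2048',
    '192.0.2.44 - - [25/Sep/1999:10:00:09 +0000] "GET //cgi-bin/ HTTP/1.0" 200 901',
    '192.0.2.10 - - [25/Sep/1999:10:00:12 +0000] "GET /docs//index.html HTTP/1.0" 200 300',
    '192.0.2.44 - - [25/Sep/1999:10:00:15 +0000] "GET /cgi-bin//script.cgi?x=1 HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, path in find_alias_bypass(SAMPLE_LOG):
        print(f"line {number}: {path}")
```

Repeated slashes elsewhere in a path (lines 4 and 5 of the sample) are not flagged, because the raw path either stays outside the alias or already matches it literally.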
Exploit / POC
To retrieve the contents of http://targethost/cgi-bin/script.cgi an attacker would use the following URL, provided the directory cgi-bin is redirected using ScriptAlias:
http://targethost///cgi-bin/script.cgi
Solution / Fix
Solution:
Upgrade to a current version of Apache httpd. This problem was reportedly fixed with version 1.0 of the server.
References
References:
- Re: Audit Project Progess Reports for TheIIA Website (Frederick Gallegos)
- ScriptAlias Directive Web Server Vulnerability (ohio-state.edu)
- The Most Comprehensive List of CGI & httpd Bugs ([email protected])